This example is an email with the subject “Important secure information about your NatWest account”, pretending to come from NatWest but actually coming from a look-alike or typo-squatted domain, secure@natwestmessage.com or secure@natwest-message.com, with a malicious Word doc attachment. It is today’s latest spoof of a well-known company, bank or public authority delivering the Trickbot banking Trojan.

If this email is not displayed correctly, please click here.
Click here to add this email to your safe list
Please refer to the Security section in the footer of this email for information about this.
From: Rowney, Sinead (Current Account)

To read the email, download the encrypted secure document and enter your password when requested. You will need Microsoft Office or any Doc readers to view your secure message.

You have received a new secure message:

We will never ask you for your full PIN and Password
Security information

For further information about the scheme (including amounts covered and eligibility to claim) please ask at your local branch, refer to the FSCS website www.fscs.org.uk or call 0800 678 1100.
Yours sincerely,
Sinead Rowney
Current Accounts
About this email
Please do not reply to this email, the address this email was sent from is not monitored. If you need to speak to us about this email, please refer to the Contact Us section of our website.

This email is only intended for the above addressee. If you are sure you are not the intended recipient of this email and have received it in error, please delete the email.

Security
We take your security seriously and are always looking for ways to improve this. We have started to use the second half of your postcode as an additional security feature on our emails. This easily recognisable piece of information is an additional way to help you identify that this email is likely to be from us. However, you should still treat all emails that appear to be from us with caution and continue to follow the existing email security advice below and at natwest.com/security

If emails do not contain partial postcode please treat them with your usual caution. Emails may not contain partial postcode if you have not provided this information to us or if you have recently changed address. If so, please contact your branch to update your address. If you suspect it is a phishing email please forward it to phishing@natwest.com

Many internet users have recently been targeted through bogus emails by fraudsters claiming to be from the Bank. These emails ask customers to provide personal details or Banking Security Information in order to reactivate an account or verify an email address. Please be on your guard against emails that request any of your security details. If you receive an email like this you should not respond. Please remember that, for security reasons, apart from when you create them at registration or when you change your Internet PIN or Password we will only ever ask you to enter random characters from your Internet PIN and Password when you log on to this service. We would never ask you by email to enter (or record) these details and we would therefore request that you do not respond to email asking for this information. If you think an email that appears to be from us is actually a phishing email, please forward it to phishing@natwest.com

For further information about this and Internet Security in general, please refer to natwest.com/security

Legal
This email message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please delete it from your computer. National Westminster Bank Plc does not accept responsibility for changes made to this message after it was sent.

Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by National Westminster Bank Plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate.

We are authorised and regulated by the Financial Services Authority. Except for Consumer Credit where we are licensed by The Office of Fair Trading.

Screenshot: Fake NatWest email

NatWest has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.

What has happened is that the criminals sending these have registered various domains that look like genuine company, bank, government or message sending services. Normally there are between 2 and 4 newly registered domains that imitate Companies House, HMRC, another government department, a bank, file hosting service or a message sending service that can easily be confused with the genuine organisation in some way. Some days, however, we do see dozens or even hundreds of fake domains.
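A mail-filter check for this kind of look-alike sender, as an added example that is not part of the original post. It assumes natwest.com is the only genuine domain (taken from the natwest.com references in the email footer); the sample headers are constructed, and the first two use the sender domains named above.

```python
import re
from email.utils import parseaddr

# Assumption: the organisation's genuine domains; extend with any others it owns.
LEGIT_DOMAINS = {"natwest.com"}
BRAND = "natwest"

def sender_domain(from_header):
    """Lower-cased domain of the address in a From header ('' if none)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(from_header):
    """Return 'legit', 'lookalike:<reason>', 'unrelated' or 'no-domain'."""
    domain = sender_domain(from_header)
    if not domain:
        return "no-domain"
    if any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legit"
    for label in domain.split("."):
        squashed = re.sub(r"[^a-z0-9]", "", label)  # drop hyphens etc.
        if BRAND in squashed:
            return "lookalike:brand-embedded"       # natwestmessage, natwest-message
        if edit_distance(squashed, BRAND) <= 1:
            return "lookalike:typo"                 # one character off the brand
    return "unrelated"

# Constructed sample From headers.
SAMPLES = [
    "NatWest <secure@natwestmessage.com>",
    "secure@natwest-message.com",
    "NatWest <alerts@natwest.com>",
    "NatWest <info@natwesst.com>",
    "Newsletter <news@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify(header):26} {header}")
```

A brand name in the display name with an "unrelated" domain is a separate signal and is not covered here.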

This malware docx file downloads from http://m-tensou.net/svoren.png, which of course is not an image file but a renamed .exe file that gets renamed again (VirusTotal).

An alternate download location is: http://interbanx.co.id/svoren.png
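A proxy or gateway can catch this trick by comparing the extension in the URL with the first bytes of the response. The following is an added example, not from the original post; the host files.example and both response bodies are constructed, and only the file name svoren.png comes from the post.

```python
import os
from urllib.parse import urlparse

# Leading "magic" bytes of the formats relevant to this check.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "exe": b"MZ",            # DOS/PE header of a Windows executable
}
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif"}

def sniff(body):
    """Identify content by its leading bytes; 'unknown' if nothing matches."""
    for kind, magic in MAGIC.items():
        if body.startswith(magic):
            return kind
    return "unknown"

def url_extension(url):
    """Extension of the URL path, lower-cased, ignoring any query string."""
    return os.path.splitext(urlparse(url).path)[1].lstrip(".").lower()

def check_download(url, body):
    """Compare what the URL claims to be with what the bytes are."""
    ext = url_extension(url)
    if ext not in IMAGE_EXTS:
        return "ok"                      # only image-named downloads are in scope
    kind = sniff(body)
    if kind == "exe":
        return "exe-as-image"            # the case described in the post
    claimed = "jpg" if ext == "jpeg" else ext
    return "ok" if kind == claimed else "mismatch"

# Constructed response bodies (first bytes only).
FAKE_PNG = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
REAL_PNG = MAGIC["png"] + b"\x00\x00\x00\rIHDR"

if __name__ == "__main__":
    print(check_download("http://files.example/svoren.png", FAKE_PNG))
    print(check_download("http://files.example/logo.png", REAL_PNG))
```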

Screenshot: Fake NatWest message Word doc

All modern versions of Word and other Office programs (2010, 2013, 2016 and 365) should automatically open all Microsoft Office documents (Word docs, Excel spreadsheet files, PowerPoint etc.) that are downloaded from the web or received in an email in “protected view”. This stops any embedded malware, macros, DDE “exploit/feature” and embedded OLE objects from being displayed and running. Make sure protected view is set in all Office programs to protect you and your company from these sorts of attacks, and do not override it to edit the document. If the protected mode bar appears when opening the document, DO NOT follow the advice they give to enable macros or enable editing to see the content. The document will have a warning message, but you will be safe.

Be aware that there are a lot of other dodgy Word docs spreading that WILL infect you with no action from you, if you are still using an outdated or vulnerable version of Word. This is a good reason to update your Office programs to a recent version and stop using Office 2003 and 2007. Many of us have continued to use older versions of Word and other Office programs because they are convenient, have the functions and settings we are used to, and we have never seen a need to update to the latest super-duper version.

The risks in using older versions are now seriously outweighing the convenience, benefits and cost of keeping an old version going.

What can be infected by this

At this time, these malicious macros only infect Windows computers. They do not affect a Mac, iPhone, iPad, Blackberry, Windows phone or Android phone. The malicious Word or Excel file can open on any device with an office program installed, and potentially the macro will run on Windows or Mac or any other device with Microsoft Office installed. BUT the downloaded malware that the macro tries to download is Windows specific, so it will not harm, install on or infect any computer except a Windows computer. You will not be infected if you do not have macros enabled in Excel or Word. These macros, embedded OLE objects or DDE do not run in “Office Online”, Open Office, Libre Office, Word Perfect or any other office program that can read Word or Excel files.